5.1 The Orchestrate Server Object

The object highest in the Explorer Tree is the Orchestrate Server Object, sometimes called the “grid server” object because it represents the PlateSpin Orchestrate Server acting as the holding place for all of the information used to manage objects for a single computing grid.

The PlateSpin Orchestrate Development Client is “version aware.” When the Orchestrate Development Client is launched or when server discovery is manually run, the client recognizes both current PlateSpin Orchestrate installations and old installations of discovered servers and displays their icons accordingly. This visual cue helps you to recognize when older Orchestrate Servers need to be upgraded.

Figure 5-1 Current and “Old” Server Objects

The tool tip for a Orchestrate Server lists its RMI configuration, its IP address, the directory location where the server instance was installed, and its exact version number.

The icons to the right of a current Orchestrate Server represent its polices, either those added by default upon server install and configuration, or those added later. A drop-down menu of all associated policies is opened when you right-click the policy icon(s). From there, you can select a policy to open in the Policy Editor. For more information about policies, see Section 5.8.1, The Policy Object.

When selected, the Server Object exposes four tabs where you can further configure its attributes. Further information about these tabs is available in the following sections:

5.1.1 The Orchestrate Server Info/Configuration Tab

The page that opens under the Info/Configuration tab includes several collapsible sections on the page where you can configure the general information and attributes of the server.

Server/Cluster

If you are using this server in a High Availability environment, the information in this section is populated as a result of the configuration you managed during the High Availability installation. The following items are included in the section:

Server Version: This non-editable field lists the version of this server in the form <major>.<minor>.<point>.<build_number>. This is the data for the fact ”matrix.version”.

Is Master Server: This check box in non High Availability cluster configurations. It is unchecked if the server is not the Master Server in a High Availability cluster configuration.

Master Server Address: Set this value when the Orchestrate Server participates in a High Availability cluster.

External Cluster Address: Set this value when the Orchestrate Server participates in a High Availability cluster.

Cluster Addresses: This list shows the hostname(s) or IP Address(es) associated with a Orchestrate Server when it configured in a High Availability configuration.

The button opens the Attribute element values dialog box, where you can add, remove, or reorder addresses (element values) in an array of address choices.

For more information about using PlateSpin Orchestrate in a High Availability environment, see the PlateSpin Orchestrate 2.0 High Availability Configuration Guide.

Data Grid Configuration

This section of the Info/Configuration tab allows for advanced configuration of datagrid related tuning parameters. The properties on the page and their descriptions are listed below.

Data Grid Root: This field sets the location of the PlateSpin Orchestrate datagrid in the file system. For example, you might change this location to use a different file system mount point (recommended when there is a lot of datagrid I/O).

Cleanup Interval: This is the interval at which the Orchestrate Server scans through user job history files on the datagrid. Job history files older than the owning user’s job history retention time limit (user.datagrid.maxhistory) are deleted.

Cleanup Interval Enabled: Select this check box to set a flag to enable periodic job history cleanup checking. Deselect to disable the checking.

Default Multicast Rate: This field sets the default data rate in bytes per second for multicast operations in which the client has not explicitly set a rate for a particular file transfer.

Max Multicast Rate: This field sets the maximum data rate in bytes per second that a client can specify for a multicast file transfer.

Selected Interfaces: This field names the interfaces on which multicast file transfers are to be sent. This allows an administrator to limit multicast traffic to specific interfaces (that is, the interfaces where the agents are connected). You can add or delete interfaces by clicking the button.

Available Interfaces: This field list lists the network interfaces that are available on the local machine for multicasting.

NOTE:The property is “read-only” and is provided for your information.

Multicast Metrics: This panel lets you monitor multicast data transfer, including:

  • Total Packets Sent: The total number of multicast data packets sent by the file multicaster since the last reset of the counters.

  • Total Packets Resent: The total number of multicast packets resent due to errors since the last counter reset.

  • Total Resend Rate: The total packet resend rate as a percentage since the last counter reset.

  • Current Packets Sent: The total number of multicast packets sent during the current or most recent multicast file transfer.

  • Current Packets Resent: The total number of multicast packets resent due to errors, corruption, or loss during the current or most recent multicast file transfer.

  • Current Resend Rate: The packet resend rate as a percentage of packets sent since the start of the current or most recent multicast file transfer.

  • Current File Size: The file size in bytes for the current or most recent multicast file transfer.

  • Current Bytes Sent: The number of bytes sent so far in the current or most recent multicast file transfer.

  • Current Percent Complete: The completion percentage of the current or most recent multicast file transfer.

  • Skipped (Sparse) Bytes: The umber of bytes skipped because of long runs of zeros. These “holes” are skipped in order to reduce file transfer time for large sparse files like VM images.

  • Current Receiver Count: The number of recipient agents for the current or most recent multicast file transfer.

  • Current File Name: The name of the file transferred in the current or most recent multicast file transfer.

The data list includes a check box that is selected if the current multicast transfer is finished. It also includes a Reset Stats button that you can select to clear the total metrics in order to begin monitoring multicast statistics from a new point in time.

Security/TLS Configuration

This section lets you configure TLS (or SSL) data encryption for both user and agent connections. There are four different levels of encryption that may be set for both users and nodes. These are described below. The properties in this section also let the TCP/IP socket listener address and port for TLS connections to be configured.

TLS On Agent: This setting allows the encryption level to be set to one of four values, as described (in order of security level) below.

  • Forbid TLS for agents

    Only unencrypted connections are allowed for nodes (that is, agents) authenticating to this server. If the agent attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden due to legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on the agents; default to falling back to unencrypted

    This level specifies that the server defaults to unencrypted communication, but that the agent can optionally enable encryption.

    This is the default setting for the Orchestrate Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on the agents; default to TLS encrypted if not configured encrypted

    The server defaults to using encryption, but the agent can optionally disable encryption.

  • Make TLS mandatory on the agents

    The Orchestrate Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the node (that is, an agent) and the server are protected from tampering or interception.

TLS On Client: This setting allows the encryption level to be set to one of four values, as described (in order of security level) below.

  • Forbid TLS for clients

    Only unencrypted connections are allowed for users of this server. If the user or client attempts to initiate encrypted communication, the connection attempt is rejected. This is the least secure of the encryption levels and is only recommended for installations where encryption is forbidden due to legal or policy restrictions, or where the performance benefits of disabling encryption outweigh security concerns.

  • Allow TLS on the clients; default to falling back to unencrypted

    This level specifies that the server defaults to unencrypted communication, but that the user can optionally enable encryption.

    This is the default setting for the Orchestrate Server. More secure installations might require a setting to one of the higher levels below.

  • Allow TLS on the agents; default to TLS encrypted if not configured encrypted

    The server defaults to using encryption, but the user can optionally disable encryption.

  • Make TLS mandatory on the clients

    The Orchestrate Server rejects any connections that do not establish TLS encryption. This is the most secure encryption level because it ensures that all message communication between the user’s client programs and the server are protected from tampering or interception.

TLS Address: This is the port number and optional bind address for incoming encrypted connections from users and nodes. The format is hostname:port. For example, 10.10.10.10:8101 causes the server to accept only TLS connections on the address 10.10.10.10 on port 8101. If “*” is used as the host name, then the Orchestrate Server listens on all available network interfaces. The default is *:8101, which causes the Orchestrate Server to listen for encrypted sessions on all available interfaces on the system.

Agent/User Session Configuration

When nodes (agents) and users log on to the Orchestrate Server, they establish a session context used to manage the state of the messaging connection between client and server. This session can be revoked by the administrator, and it can also expire if the connection exceeds its maximum lifetime or idle timeout.

  • Agent Session Lifetime: The maximum number of seconds that an agent’s session can last before the agent is disconnected and must re-authenticate with the server. A value of -1” means “forever.”

  • Agent Session Timeout: The idle timeout for agents. If an agent connection remains idle with no message traffic in either direction for this time period (in seconds), the session times out, the agent is disconnected and must reauthenticate when it is ready to communicate with the server again.

  • Socket Keeps Agent Sessions Alive: Select this check box to set a flag that causes the server and agent to maintain a keep alive “ping” in order to detect hung/stalled network connections. This allows the agent to recover from hung connections and to transparently reconnect with the server.

  • User Session Lifetime: The maximum number of seconds that a user’s session can last before the user is required to re-authenticate with the server. A value of -1 means “forever.”

  • User Session Timeout: This is the idle timeout (in seconds) for user sessions. If a user’s session encounters no message traffic or requests in either direction for time, then any connection with user software is closed and the session expires. At this point, the user must re-authenticate.

  • Socket Keeps User Sessions Alive: Select this check box to set a flag that causes the server and user client to maintain a keep alive “ping” in order to detect hung/stalled network connections. This allows the agent to recover from hung connections and to transparently reconnect an with the server. This setting applies only in situations where you are using custom user client software or certain subcommands of the zos command line utility to maintain a long-lived connection.

Audit Database Configuration

This section of the Info/Configuration page lets you configure the connection to a relational database that uses a deployed JDBC driver and connection properties. The PostgreSQL driver is deployed by default.

  • JDBC Driver Name: Specifies the Java class for the driver.

  • JDBC Library: Specifies the deployed library that contains the driver.

  • JDBC Connection URL: Specifies the driver-dependent connection string.

  • Database Username: Specifies the username for database authentication.

  • Database Password: Specifies the password to be used for database authentication.

  • Is Connected: When selected, this indicates that the driver is successfully connected.

  • Connect (button): Click to connect using the current connection settings.

  • Disconnect (button): Click to disconnect the current connection.

  • Clear Queue (button): Clear queued records that have not yet been written to the database.

job.limits

The facts in this section of the page are used in the default constraints to help protect the Orchestrate Server from denial of service type attacks or badly written jobs and might otherwise get stuck in the server queue, consume resources and cause adverse server performance.

  • max.active.jobs: Set a (global default) limit on the number of active jobs.

    The Orchestrate Server uses this value in the start constraint and does not allow more than this number of jobs (including child jobs) to be actively running at the same time. Jobs that exceed this number might be queued. See max.queued.jobs, below.

  • max.queued.jobs: Set a (global default) limit on the number of queued jobs.

    This value is similar to max.active.jobs (see above) but it is used in the accept constraint and limits the number of jobs sitting in a queue waiting to be started. Therefore, the maximum jobs that can be present on an Orchestrate Server is max.active.jobs + max.queued.jobs. New jobs are not be accepted by the server if, when added, they would exceed this total.

  • job.finishing.timeout: Set a (global default) limit on the timeout for job completion.

    This value represents the number of seconds that the Orchestrate Server allows a job to execute it's job_cancelled_event() (if defined) before forcibly aborting the job. This prevents jobs from potentially hanging during cancellation.

5.1.2 The Orchestrate Server Authentication Tab

The Authentication tab opens a page with several collapsible sections where you can configure various methods for authenticating both users and resources to the PlateSpin Orchestrate Server.

Resources

The resources in a PlateSpin Orchestrate grid are actually PlateSpin Orchestrate Agents that authenticate or “register” with the PlateSpin Orchestrate Server.

Auto Register Agents: Select this check box if you want the PlateSpin Orchestrate Server to automatically register agents when they first connect to the Orchestrate Server.

Users

Only authenticated users can log into the PlateSpin Orchestrate Server. As an administrator, you can configure this authentication to use an internal user database or to externally authenticate users through an LDAP server.

Auto Register Users

Select this check box if you want the PlateSpin Orchestrate Server to automatically register users when they first connect to the Orchestrate Server.

Enable LDAP

Select this check box if you want the Orchestrate Server to authenticate users externally using an LDAP server. Additional LDAP-related configuration fields are displayed when you select check box.

Administrators

The Administrators list specifies the group names whose membership includes PlateSpin Orchestrate administrators as returned by the specified authentication provider. You can add groups to this list by clicking the button to open an array editor dialog box, which allows groups to be added, removed, and reordered. A group must be in the format <provider>:<group|groupnocase>:<groupname>, where the <provider> is either “ZOS” or “LDAP”. For example, adding LDAP:groupnocase:XyZ allows users reported by the LDAP server as members of a group “xyz”, or “XYZ”, “xYz”, etc. to authenticate as an administrator. To enforce to case-sensitive matching, use LDAP:group:XyZ instead. Non-case-sensitive matching is needed for Active Directory* servers.

Active Directory Service Settings

If you select Active Directory Service in the Server Type drop down list, the following settings are available:

Directory Name: Enter the name of the Active Directory Service server.

Servers: This property is a list of strings containing server:port entries for a list of servers to be used.

Each entry can be of one of three forms:

  • <hostname>

  • <hostname>:<port>

  • <hostname>:<port>:<sslport>

In all cases, <hostname> is a resolvable DNS name or an IP address. If SSL or TLS are in use, however, the host name must exactly match the name on the ADS server SSL certificate.

You can modify this list by clicking the button to open an Attribute Element Values dialog box, where you can add, remove, or change the order of server names.

Advanced: The settings in this section are for more selective ADS authentication.

  • SSL: Selecting this option (assuming that the accompanying Start TLS check box is not also selected and also assuming that the ADS server’s SSL certificate has been installed on the PlateSpin Orchestrate Server JVM) securely connects to the ADS server using SSL encryption.

    The older style LDAP protocol (ldaps://) is used for the connection.

  • Start TLS: Selecting this option immediately promotes the connection to SSL encryption by bypassing the older style protocol in favor of the LDAPv3 Start TLS extended operation on the nonSSL LDAP port. To use this option, the ADS server’s SSL certificate must be installed on the JVM of the PlateSpin Orchestrate Server.

  • Query Account: Enter the account name that is to be used for querying group information on authenticated users.

  • Query Password: Enter the clear text password used to authenticate the query account on the LDAP server.

Generic Settings

When you select Generic LDAP Directory Service as the Server Type, the following additional settings are displayed:

Base Domain Name: Specifies the Root DN of the LDAP server’s directory tree. This must be obtained by the administrator, and is usually in the form of: dc=adsroot,dc=novell,dc=com

User Attribute: Specifies the attribute on a user’s entry that identifies his or her login account name. For ADS servers, this attribute is sAMAccountName.

User Filter: Specifies the name of the filter to be used in the lookup for the user’s LDAP distinguished name.

User Prefix: Specifies the prefix used to define the LDAP subtree within the BaseDN tree that contains user accounts. If you leave this property blank, the Orchestrate Server uses the BaseDN.

For ADS, this prefix is cn=Users.

Group Attribute: Specifies the attribute of a group entry describing the login name of that group.

Group Filter: Specifies a filter to be used in the lookup for group memberships on some LDAP schemas. The filter can use either ${USER_NAME} or ${USER_DN} to substitute that value. For example: memberUid=${USER_NAME}.

Not used for Active Directory authentication.

Group Prefix: Specifies the prefix used to define the LDAP subtree within the BaseDN tree that contains group accounts.

Not used for Active Directory authentication.

Group DNA Attribute: Specifies the directory root where all queries for a user’s group memberships (stored as a list of “member of” attributes on the user’s entry on an ADS server) are to occur.

Nested DNA Attribute: Specifies the attribute of a group entry where subgroups can be queried.

5.1.3 The Orchestrate Server Policies Tab

The Polices tab opens a page that contains a policy viewer for each of the policies associated with the Server Object.

NOTE:You can edit a policy by right-clicking a policy icon, selecting Edit Policy and clicking the Save icon.

5.1.4 The Orchestrate Server Constraints/Facts Tab

The Constraints/Facts tab opens a page that shows all of the effective constraints and facts for the Server object. The server object has an associated set of facts and constraints that define its properties. In essence, by building, deploying, and running jobs on the PlateSpin Orchestrate Server, you can individually change the functionality of any and all system resources by managing an object’s facts and constraints.The Orchestrate Server assigns default values to each of the component facts, although they can be changed at any time by the administrator, unless they are read-only. Facts with mode r/o have read-only values, which can be edited (that is, using the “pencil” icon) in order to view their value(s) but changes cannot be made.